Why Is NSO Group Asserting Sovereign Immunity in WhatsApp Litigation?
On April 2, private surveillance company NSO Group filed a
motion to dismiss WhatsApp’s lawsuit over the alleged hacking of 1,400
cellphones running the WhatsApp application. Among the laundry list of
arguments made by NSO Group, the most salient was the surveillance company’s
contention that its business with foreign governments entitled it to immunity
from suit in U.S. court. WhatsApp, the end-to-end encrypted messaging
application owned by Facebook, filed its opposition brief shortly after,
challenging NSO Group’s theories for immunity.
NSO Group’s briefs attempt to claim foreign sovereign
immunity in two distinct ways. First, NSO Group pairs the Foreign Sovereign
Immunities Act (FSIA), the law that limits whether a foreign state can be sued
in U.S. court with Federal Rule of Civil Procedure 19 (Rule 19), the rule that
governs the joinder of parties in civil lawsuits. The brief suggests that,
together, these provisions disqualify this lawsuit entirely. According to NSO
Group, permitting this lawsuit to continue would prejudice the interests of NSO
Group’s sovereign clients who are immune from suit under the FSIA. Second, as a
fallback, NSO Group asserts immunity for itself. NSO Group argues that it
enjoys common law derivative immunity as the agent of sovereign governments
that allegedly purchased its Pegasus malware and then used NSO Group services
to spy on WhatsApp users.
NSO Group also appended to its motion to dismiss a short
statement by CEO Shalev Hulio that was meant to demystify both its company policy
and its relationship to sovereign clients. According to Hulio, NSO Group
conditions the use of its Pegasus malware on an agreement that its “government
customers” will not use the technology for “human right violations” but,
instead, for law enforcement purposes and for combating terrorism. Further,
Hulio denied that NSO Group manages the operation of its Pegasus technology
once the software has been licensed to its clients, explaining that NSO Group
offers only “technical support” and does so “entirely at the direction of their
government customers.”
Though NSO Group has yet to name any of its sovereign
clients, this statement by Hulio fits thematically with the foundational claim
being made in NSO Group’s briefs: We didn’t hack WhatsApp; our clients did.
This claim supports both of NSO Group’s immunity theories—first, that NSO
Group’s foreign sovereign clients are indispensable to the resolution of this
case; and, second, that any hacking attributable to NSO Group was at the
direction of its sovereign customers.
NSO Group never actually asserts sovereign immunity for
itself under the FSIA. Indeed, any claim to derivative immunity for NSO Group
under the FSIA, 28 U.S.C. §§ 1602-1611, is a nonstarter. Only foreign states
and their “agenc[ies] or instrumentalit[ies]” qualify for immunity under the
FSIA. Section 1603(b) of the FSIA defines an “agency or instrumentality of a
foreign state” as an entity:
which is a separate legal person, corporate or otherwise,
and
which is an organ of a foreign state or political
subdivision thereof, or a majority of whose shares or other ownership interest
is owned by a foreign state or political subdivision thereof, and
which is neither a citizen of a State of the United States
as defined in section 1332 (c) and (e) of this title, nor created under the
laws of any third country.
The two parties agree that NSO Group fails to meet the
second prong of this definition—it is “a for-profit commercial company” that is
neither an organ of nor owned by a foreign state.
Rather, NSO Group introduces the FSIA in service of another
tactic altogether. NSO Group argues that including its clients—sovereign
governments that purchased NSO malware—is necessary to this case, where their
absence disqualifies the lawsuit. Here’s how that tactic is meant to play out:
First, NSO Group argues that it did not hack WhatsApp; its sovereign clients
did. Second, since sovereign governments caused WhatsApp’s alleged injuries,
they are required parties to this lawsuit. Third, as required parties, WhatsApp
must join these governments to the lawsuit under Rule 19. Fourth, if the
governments must be joined as required parties, but are immune under the FSIA
(and thus are immune from suit in U.S. courts), then the entire lawsuit should
be dismissed because a judgment in their absence will be prejudicial.
As NSO Group notes in its reply brief, Republic of
Philippines v. Pimentel, a case where the Republic of the Philippines was
interpled in order to resolve its claim to disputed assets, lends some support
to such an argument. Under Pimentel precedent, NSO Group correctly recognizes
that “a case may not proceed when a required-entity sovereign is not amenable
to suit.”
Nevertheless, its reliance on Pimentel is wanting.
First, NSO Group is a long way from proving that its
government-clients are required parties under Rule 19(a)(1). NSO’s clients
would be required parties only if excluding them would give WhatsApp
insufficient relief, or if excluding the sovereign clients would prevent them
from protecting some interest they may have in the lawsuit. Though NSO claims
that WhatsApp’s complaint seeks to enjoin its clients, WhatsApp was clear in
their opposition brief that they only seek relief from NSO Group. Further
still, NSO Group has yet to name any of its sovereign clients or describe the
nature of their interests in this lawsuit. And given that NSO Group was
allegedly facilitating covert state espionage, it seems unlikely that NSO Group
will name its sovereign clients.
Second, NSO Group is gaming Rule 19 and the Pimentel
precedent—the court might view this unfavorably. In Pimentel, the Republic of
the Philippines was named in the suit from the very beginning. It then asserted
sovereign immunity under the FSIA for itself, a sovereign nation. Here, NSO Group
(the defendant) appears to be pulling sovereign governments into the fray in
order to use their immunity as a shield where WhatsApp, under the most probable
reading of their original complaint, has not named these governments.
Considering these factors, the court may well find NSO Group’s intertwined FSIA
and Rule 19 argument to be too clever by half.
Derivative Immunity Under Common Law
NSO Group also asserts that it may enjoy derivative
immunity, not under the FSIA, but under common law. As both parties recognize,
claims of common law derivative immunity are relatively commonplace for
domestic contractors working with the U.S. government. But the law is murkier
where common law derivative immunity is asserted by a private company working
in service of foreign governments.
Comments
Post a Comment